
IoT Cars

In the rapidly evolving internet of things environment, federal regulators must be
flexible to accommodate change, the authors write, and they must resist the urge to
ensconce autonomous vehicle cybersecurity guidance in law.

By Darren Teshima and Ian Adams

Darren Teshima is a litigation partner at Orrick, Herrington & Sutcliffe LLP in San
Francisco. He advises leading financial institutions and tech companies in a variety
of commercial disputes, including cybersecurity and data breach insurance matters.

Ian Adams is a public policy associate in Orrick's Sacramento, Calif. office and a
senior fellow with the R Street Institute.

Concerns about the vulnerability of America's physical infrastructure have long been
top of mind for national security officials. But the growing threat of cyberattacks,
both state sponsored and criminal, has led state and federal officialdom to take
note. Their concern has been magnified by the increasing number of significant cybercrime
targets in the nation, including key infrastructure. In particular, the rapid expansion
of the Internet of Things (IoT)—reports estimate that by 2020, there will be 30 billion
connected things and 40 percent of all data generated will come from connected sensors—has
increased the risk that this age's technological wonders may be vulnerable to unfriendly
manipulation. This IoT cybersecurity risk was highlighted by the recent distributed
denial of service (DDoS) attack that shut down sites like Twitter Inc., Spotify Ltd.
and Netflix Inc. with an overflow of online traffic from thousands of hacked IoT
devices.

Motor vehicles, which have been incorporating IoT devices and technologies for years
and will be incorporating autonomous technologies in the coming years, might prove
a particularly tempting target to would-be malefactors. The scale and scope of the
risk to autonomous vehicles isn't yet well understood, in part because the approach
to attacking the technology is still unclear. Yet worst-case scenarios involving
hijacked vehicle control are not difficult to imagine. To that end, in part to allay
popular discomfort with the poorly defined threat, the federal regulator charged with
vehicle safety, the National Highway Traffic Safety Administration (NHTSA), has worked
closely with industry stakeholders to develop a framework to enshrine best cybersecurity
defense practices in administrative guidance. Two recent developments in that space,
in particular, bear noting.

First, at the end of September, NHTSA released the Federal Automated Vehicle Policy
(FAVP). The policy is intended as a non-binding and evolutionary document around which
stakeholders from all interested industries (OEM, component, insurance, etc.) will
be able to gather annually to submit commentary and refine the suggestions embodied
therein. Included in the FAVP is a 15-point safety checklist which contains specific
cybersecurity recommendations.

Second, in October, NHTSA released another guidance document concerning cybersecurity:
“Cybersecurity Best Practices for Modern Vehicles” (Best Practices). That document, which is the result of a multi-year development
process, is incorporated by reference into the FAVP and is, similarly, intended to
be nonbinding. However, unlike the FAVP's treatment of cybersecurity, the Best Practices
document offers more concrete recommendations for manufacturers to follow as they
develop their vehicles.

Both of NHTSA's cybersecurity guidance documents are susceptible to interpretation,
which is by design. The guidelines they embody did not go through notice-and-comment
rulemaking and are intended to be predisposed to rapid change. That said, it is of
note—and concern—that NHTSA's “Model State Policy,” another section of the FAVP, currently suggests that state regulators adopt a regulatory
posture which, as a condition of obtaining a permit for testing, requires a manufacturer
to certify “accordance” with the 15-point checklist. In practice, it is unclear both
how manufacturers will accord with NHTSA's vague cybersecurity guidance and which
regulator, state or federal, will actually evaluate accordance for the purpose of
obtaining testing permits. What's more, it is unclear whether separate consideration of
all of the detailed recommendations in Best Practices will be necessary for a manufacturer
to certify its accordance with the FAVP's cybersecurity safety checklist item.

There are three principal cybersecurity-related recommendations in the FAVP, none
of which is technical. First, manufacturers and other entities are told to incorporate
cybersecurity best practices from a collection of organizations (the National Institute
of Standards and Technology, NHTSA, SAE International, the Alliance of Automobile
Manufacturers, the Association of Global Automakers and the Automotive Information
Sharing and Analysis Center). Second, the guidelines suggest that the incorporation
of all cybersecurity considerations should be well documented, or, in NHTSA speak,
“traceable within a robust document version control environment.” Third, the guidelines
emphasize that information concerning cybersecurity threats should be shared between
industry members and that manufacturers and other entities should consider adopting
a “vulnerability disclosure policy.”

The global recommendations of the FAVP are refined in the Best Practices. NHTSA recommends
a taxonomy of five distinct cybersecurity periods in the Best Practices guidance.
Companies should: (1) identify risks and analyze threats; (2) protect against those threats; (3) detect
attacks; (4) respond to attacks; and (5) recover from attacks. Methodologies for
each of the periods are covered in depth in the guidance, but a theme that runs through
all of them is the notion of a “layered approach.” The notion of such an approach
is that vehicle security begins with limiting the likelihood of an attack and runs
all the way through after a vehicle is hit, at which time the attacked vehicle will
still need to be able to perform vital functions. Especially in the context of autonomous
vehicles, such an ability will be crucial.

In terms of demands on automakers that are more expansive than the FAVP, the Best
Practices recommend that firms create an executive leadership position dedicated to
cybersecurity and explicitly call for manufacturers to account for future uses of
vehicles, the installation of aftermarket devices, and the serviceability of systems.

In response to both documents, some critics, including sitting Sens. Edward J. Markey
(D-Mass.) and Richard Blumenthal (D-Conn.), have called for binding standards to be set both for cybersecurity and for
autonomous vehicle regulation. U.S. Department of Transportation (DOT) Secretary Anthony Foxx has signaled that DOT will pursue such action in the
context of autonomous vehicles, but will wait for the next administration to begin
the process. Given that recent Federal Motor Vehicle Safety Standards (FMVSS) have
taken between six and ten years to adopt, according to NHTSA Administrator Mark Rosekind,
it is unclear what form any such standards would take.

The near-term future of both documents is clearer. Both are currently undergoing revision
and were open for comment, the FAVP through Nov. 22 and the Cybersecurity Best Practices
through Nov. 28. For the manufacturers and other entities whose cybersecurity activities
are implicated by the guidance in both documents, the message from the federal government
under the Obama administration was straightforward. They were in a flexible “fact
finding” mood, but the period of voluntary compliance and permissive standards will,
sooner or later, come to an end. The prospective impact of a surprise Trump administration
on this process remains to be seen. However, if that administration takes a typically
Republican policy approach, moving forward, it is likely that the DOT will not seek
to make cybersecurity guidance mandatory. Rather, as has been articulated by Trump's
transition team, the administration will convene a “Cyber Review Team” to provide
specific recommendations to vulnerable entities.

Like autonomous vehicle technology itself, cybersecurity guidance will change rapidly
in the years to come. To ensure the flexibility necessary to accommodate that change,
federal regulators should both resist the urge to ensconce guidance in law and, at
minimum, clarify what “accordance” with the FAVP involves. Though perhaps counterintuitive,
the strength to exercise regulatory restraint will be a crucial component of bolstering
both the nation's cybersecurity and the development of autonomous vehicles.
